1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-29 11:21:54 +03:00
Commit Graph

33 Commits

Author SHA1 Message Date
Andrew Bartlett
e249bdd32e s3-gse: align common elements between gse_context and gensec_gssapi_state
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 16:23:25 +01:00
Andrew Bartlett
45ec777e0e s3-gse: Make gensec_gse cope with non-DCE GSSAPI
The validation of the mutual authentication reply produces no further
data to send to the server.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 16:23:25 +01:00
Stefan Metzmacher
545c1ad1b9 s3-gse: the server should not check for GSS_C_MUTUAL_FLAG
It up to the client to ask for GSS_C_MUTUAL_FLAG,
except for the dcerpc case, where the server is stricter.

metze
2012-01-18 16:23:25 +01:00
Stefan Metzmacher
c5864deadc s3-gse: verify that we got GSS_C_DCE_STYLE when expected
GSS_C_DCE_STYLE implies GSS_C_MUTUAL_FLAG, so also check for it.

metze
2012-01-18 16:23:24 +01:00
Andrew Bartlett
ed88012dd2 s3-gse Remove authenticated flag from gse
The only user for this flag is called only directly after it was set.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 16:23:24 +01:00
Andrew Bartlett
c759097956 s3-gse remove special more_processing hook from gse
The NT_STATUS_MORE_PROCESSING_REQUIRED status code is what gensec
is expecting in any case.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 16:23:24 +01:00
Andrew Bartlett
5b90bcf83b s3-gse Rename gss_c_flags and ret_flags in gse
This make it clearer what type of flags these are and matches
gensec_gssapi

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 16:23:24 +01:00
Andrew Bartlett
cf39b63a7b s3-gse Rename gss_ctx to match gensec_gssapi_context
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 16:23:24 +01:00
Andrew Bartlett
e8c8d293d8 s3-gse Rename delegated_creds to match gensec_gssapi_context
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 16:23:24 +01:00
Stefan Metzmacher
f14bcdf8ec s3-gse gss_wrap_iov_length() only needs the type and length
metze
2012-01-18 16:23:23 +01:00
Andrew Bartlett
23a062b51b s3-gse Make seal parameter a boolean for clarity
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 16:23:23 +01:00
Andrew Bartlett
ad14b8c655 s3-gse Move GSS_C_DCE_STYLE backup definition to gse.c
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 16:23:23 +01:00
Andrew Bartlett
0132cca825 s3-gse Add const
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 16:23:23 +01:00
Andrew Bartlett
90efbe0fad s3-gse Remove or make static unused/local-only GSE functions
The GSE layer is now used via the GENSEC module, so we do not need these
functions exposed any more.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 16:23:23 +01:00
Andrew Bartlett
d95d59138c s3-gse Make gse available as a gensec client module
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 16:23:22 +01:00
Andrew Bartlett
cbd8231e34 s3-gse: Add gensec wrapper for gse GSSAPI client
This brings in part of the s4 gensec_gssapi as the boilerplate for the
new module.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-18 16:23:21 +01:00
Andrew Bartlett
6412ff84ce s3-librpc Return user principal name on supplied mem_ctx
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-11 08:25:19 +01:00
Stefan Metzmacher
73ed88df35 s3:gse: MIT krb5 1.8.1 has a bug in gss_wrap_iov()
gss_krb5int_make_seal_token_v3_iov() doesn't set '*conf_state'.

metze
2012-01-05 17:17:28 +01:00
Andrew Bartlett
a1fd1a4c65 s3-librpc store the sign/seal flags we got in the gssapi client
Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-05 17:17:28 +01:00
Andrew Bartlett
860ad734ba s3-libads Factor out a new routine kerberos_get_principal_from_service_hostname()
This is now used in the GSE GSSAPI client, so that when we connect to
a target server at the CIFS level, we use the same name to connect
at the DCE/RPC level.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-05 17:17:28 +01:00
Andrew Bartlett
25d7675d69 s3-librpc Use gsskrb5_get_subkey() where available to get the session key
This allows gse_get_session_key() to work against Heimdal.

Andrew Bartlett

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2012-01-05 17:17:28 +01:00
Andrew Bartlett
481f05ce02 s3-gse Work around the MIT 1.9 gss_krb5_import_cred
We detect this function at configure time, but it currently fails to
operate the way we need - that is, when the principal is not
specified, it gives this error.  When the principal is specified we
get 'wrong principal in request' in the GSS acceptor, so for now the
best option is to fall back to the alternate approach.

Andrew Bartlett

Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Wed Jul 20 06:35:05 CEST 2011 on sn-devel-104
2011-07-20 06:35:05 +02:00
Andrew Bartlett
8ee3ba791d s3-gse Allow printing the partial error string
We may not be able to obtain the full error string, so print what we can get.

This is required when the error is the the GSSAPI layer, not the mechanism.

Andrew Bartlett
2011-07-20 12:04:45 +10:00
Michael Adam
05e8881fef s3:librpc: remove unneded gssapi includes from source3/librpc/crypto/gse.c
These come in via the smb_krb5.h include (and lib/replace/system/kerberos.h)
in the end.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Autobuild-User: Michael Adam <obnox@samba.org>
Autobuild-Date: Tue May 10 23:12:31 CEST 2011 on sn-devel-104
2011-05-10 23:12:31 +02:00
Jeremy Allison
4f41be356a Fix many const compiler warnings. 2011-05-05 10:41:59 -07:00
Andrew Bartlett
91ebf22fa8 s3-rpc_server Fix compile without kerberos
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Wed Apr 27 23:08:48 CEST 2011 on sn-devel-104
2011-04-27 23:08:48 +02:00
Andrew Bartlett
cd7112ba84 s3-gse: Don't release the mech OID from gss_accept_security_context
This is constant data according to the man pages I find for this
fucntion, and causes a segfault to free() when linked to Heimdal.  I
am advised that while it is constant for gss_mech_krb5, it may not be
for other mechanisms, so an assert will ensure this is dealt with by
the programmer who extends this code in future.

Andrew Bartlett
2011-04-27 11:56:48 +10:00
Andrew Bartlett
6ec4306f8c auth/kerberos: Create common helper to get the verified PAC from GSSAPI
This only works for Heimdal and MIT Krb5 1.8, other versions will get
an ACCESS_DEINED error.

We no longer manually verify any details of the PAC in Samba for
GSSAPI logins, as we never had the information to do it properly, and
it is better to have the GSSAPI library handle it.

Andrew Bartlett
2011-04-27 11:56:48 +10:00
Andrew Bartlett
3a2afe4285 s3-gse: Allow the GSSAPI wrapper to load a keytab using gss_krb5_import_cred()
This Heimdal function does not set the global state, and allows the
GSSAPI server to progress further when compiled against Heimdal (such
as in the top level build).

The ability to specify a keytab has been removed from the API as it is
unused, and and the Heimdal function (avoiding setting global
variables) works with an open keytab.

Andrew Bartlett
2011-04-20 04:31:07 +02:00
Andrew Bartlett
1f534422cc s3-gse Allow GSSAPI wrapper to compile against Heimdal 2011-04-16 11:43:05 +02:00
Simo Sorce
4194383cfe gssapi: remove unused function argument
Signed-off-by: Günther Deschner <gd@samba.org>
2010-09-23 10:36:54 -07:00
Simo Sorce
412ebad02b gssapi: avoid explicit dependency on dcerpc specific structures
Signed-off-by: Günther Deschner <gd@samba.org>
2010-09-23 10:36:54 -07:00
Simo Sorce
0e5eb82a6f s3-dcerpc: move crypto stuff in /librpc/crypto
Signed-off-by: Günther Deschner <gd@samba.org>
2010-09-23 10:36:54 -07:00